Labels (Alert, Change Event, Log, Metric)

Label Settings

The Label Settings section in InsightFinder UIE allows you to define, organize, and fine-tune how log data is classified, filtered, and interpreted within a project. These configurations help the system automatically detect patterns, extract meaningful fields, and associate logs with key operational categories such as incidents, anomalies, data quality issues, and more.

Accessing Label Settings

1. Log in to InsightFinder UIE.
2. Navigate to Settings → System Setting.
3. Select the appropriate System, then click the gear (settings) icon next to the Log, Alert, or Change Event project you want to configure.
4. Click the Labels tab to open the label configuration page.

Detection Keywords

Purpose:
Detection Keywords are keywords or regular expressions used to identify which log entries should generate alerts.

Adding Detection Keywords

1. Click the Add button to create a new detection keyword entry.
2. Each entry supports configuration of several parameters:
Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Detection Regex:

Define a regular expression (case-sensitive) that matches the log content you want to detect.

4. Advanced Configuration

Pattern Name Regex:

  • Click Config to add multiple regular expressions within a single pattern.
  • Assign a Pattern Name and a Pattern Key to help organize and reference related regex patterns.

Event Severity Options:

  • You can mark each regex as Critical and/or Hot Event Only depending on the type of alert needed.

Incident Escalation:

  • Enable Escalate to Incident to create an incident when the pattern is detected.
  • Define Threshold and Instances to specify when escalation should occur.

5. Managing Detection Keywords

Order:

  • Detection keywords are matched in the order listed. You can drag and reorder them to control evaluation priority.

Removal:

  • Click Remove to delete any unused or incorrect patterns.

Using Known System List

  • At the top of the Label Settings page (beside the Add button), you’ll find the Known System List feature.
  • Select a system from the dropdown list.
  • Click the Update button.
  • Choose the Type (JSON field name or String content) and click Update again.
  • This feature automatically populates the system with all detected regex patterns from the selected known system.
  • You can then customize these auto-generated patterns individually as needed.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Training Allowlist

Purpose:
The Training Allowlist defines specific keywords or regular expressions that are always included during model training.
This ensures important log patterns are consistently considered when building or updating the detection model.

Adding Allowlist Keywords

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:
Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Allowlist Regex:
Define a regular expression (case-sensitive) that matches the log content you want to add.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Training Blocklist

Purpose:
The Training Blocklist defines keywords or regular expressions that are always excluded during model training.
This helps prevent irrelevant, noisy, or repetitive log patterns from influencing the model’s learning process and ensures cleaner, more accurate detection results.

Adding Blocklist Keywords

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:
Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Regex:

Define a regular expression (case-sensitive) that matches the log content you want to block.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Detection Blocklist

 

Purpose:
The Detection Blocklist specifies keywords or regular expressions for log entries that should be excluded from alert detection.
Any log entry matching a blocklist pattern will be filtered out and will not trigger alerts.
This helps reduce noise and prevents non-critical or repetitive log messages from generating unnecessary alerts.

Adding Blocklist Keywords

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Regex:

Define a regular expression (case-sensitive) that matches the log content you want to block.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.
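
The ordering and case-sensitivity rules under Detection Keywords interact with the Detection Blocklist, so it helps to dry-run a rule set against sample lines before saving it. The following is an added example, not InsightFinder code: it simulates String content rules locally with Python's `re`, and it assumes that the first matching detection keyword wins, that a regex may match anywhere in the line, and that the product's regex dialect agrees with Python for these simple patterns. The rule names, patterns, and log lines are constructed.

```python
import re

# Hypothetical rules mirroring the page's settings (Type: String content).
DETECTION = [  # evaluated top to bottom, as in the UI list
    ("auth_failure", r"authentication failed"),
    ("generic_error", r"ERROR"),
]
BLOCKLIST = [r"healthcheck", r"user=monitor"]

# Constructed sample log lines.
SAMPLES = [
    "2024-05-01T10:00:00Z ERROR authentication failed for user=alice",
    "2024-05-01T10:00:01Z ERROR disk quota exceeded on /var",
    "2024-05-01T10:00:02Z error: Authentication Failed for user=bob",
    "2024-05-01T10:00:03Z INFO healthcheck ok",
    "2024-05-01T10:00:04Z ERROR authentication failed for user=monitor",
]

def classify(line, detection=DETECTION, blocklist=BLOCKLIST):
    """Return (label, blocked_by): the first detection rule that matches
    (case-sensitive) and the first blocklist regex that matches, or None."""
    label = next((n for n, rx in detection if re.search(rx, line)), None)
    blocked_by = next((rx for rx in blocklist if re.search(rx, line)), None)
    return label, blocked_by

def audit(samples=SAMPLES):
    """Sort samples into alerts, detections hidden by the blocklist, and
    lines missed only because the detection regexes are case-sensitive."""
    report = {"alerts": [], "suppressed": [], "case_miss": []}
    for line in samples:
        label, blocked_by = classify(line)
        if label and blocked_by:
            report["suppressed"].append((line, label, blocked_by))
        elif label:
            report["alerts"].append((line, label))
        elif not blocked_by and any(
            re.search(rx, line, re.IGNORECASE) for _, rx in DETECTION
        ):
            report["case_miss"].append(line)
    return report

if __name__ == "__main__":
    for bucket, items in audit().items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Review every entry in the `suppressed` bucket before saving a blocklist pattern, and every entry in `case_miss` before relying on a detection regex.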

 

Feature

Purpose:
The Feature section allows you to define keywords or regular expressions (e.g., IP addresses, error codes, hostnames) that are used to extract log entry count distributions.
These features help the system analyze and detect behavior patterns or anomalies in your log data.

Adding Feature Entries

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Feature Name:

Provide a meaningful name for the feature (e.g., sourceIP, errorCode, userID).

4. Regex:

Define a regular expression (case-sensitive) that matches the log content you want to extract and analyze.

5. Grouping Priority:

Choose the grouping level from the dropdown options:

  • None
  • Primary
  • Secondary
  • Tertiary

This determines how extracted features are grouped for visualization and correlation in analysis.

6. Outlier Detection:

Check this option if you want the feature to be included in outlier detection during analysis.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Anomaly Feature

Purpose:
The Anomaly Feature section allows you to define keywords or regular expressions used to extract key metrics or fields from log data that contribute to anomaly detection.
These features help the system identify unusual patterns, behaviors, or trends in the log stream based on extracted values.

Adding Feature Entries

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Feature Name:

Provide a meaningful name for the feature (e.g., sourceIP, errorCode, userID).

4. Regex:

Define a regular expression (case-sensitive) that matches the log content you want to extract and analyze.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Incident Labels

Purpose:
The Incident Labels section allows you to define keywords or regular expressions that are used to identify log entries indicating incidents.
These configurations help the system automatically recognize logs that represent critical events, errors, or service-impacting issues.

Adding Incident Keywords

1. Click the Add button to create a new detection keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Detection Regex:

Define a regular expression (case-sensitive) that matches the log content you want to detect.

4. Advanced Configuration

Pattern Name Regex:

  • Click Config to add multiple regular expressions within a single pattern.
  • Assign a Pattern Name and a Pattern Key to help organize and reference related regex patterns.

Define Threshold and Instances to specify when escalation should occur.

5. Managing Detection Keywords

Order:

  • Detection keywords are matched in the order listed. You can drag and reorder them to control evaluation priority.

Removal:

  • Click Remove to delete any unused or incorrect patterns.

Using Known System List

  • At the top of the Label Settings page (beside the Add button), you’ll find the Known System List feature.
  • Select a system from the dropdown list.
  • Click the Update button.
  • Choose the Type (JSON field name or String content) and click Update again.
  • This feature automatically populates the system with all detected regex patterns from the selected known system.
  • You can then customize these auto-generated patterns individually as needed.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Data Quality

Purpose:
The Data Quality section allows you to define keywords or regular expressions that are used to identify log entries related to data quality.
These configurations help detect logs that indicate issues or patterns affecting the accuracy, completeness, or consistency of incoming data.

Adding Data Quality Entries

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Condition Regex:

Click Config to define one or more regular expressions that specify conditions for detecting data quality issues.

4. Data Filling Regex:

Click Config to add regular expressions that specify data extraction or filling rules.

These can be used to capture or substitute missing or invalid values from log entries for quality assessment.

5. Rule Type:

Select a rule category from the dropdown options:

  • Consistency – for checking field consistency across log entries.
  • Numeric – for verifying numeric ranges or thresholds.
  • Regex – for validating data format using custom regex patterns.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Normal Log Pattern Name

Purpose:
The Normal Log Pattern Name section allows you to define keywords or regular expressions that are used to identify and name common log patterns.
These patterns help the system categorize repetitive or expected log entries, improving pattern-based analysis and reducing noise in anomaly detection.

Adding Normal Log Pattern Entries

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Regex:

Define one or more regular expressions that specify conditions for detecting data.

4. Assign a Pattern Name and a Pattern Name Key to help organize and reference related regex patterns.
5. Using Known System List

  • At the top of the Label Settings page (beside the Add button), you’ll find the Known System List feature.
  • Select a system from the dropdown list.
  • Click the Update button.
  • Choose the Type (JSON field name or String content) and click Update again.
  • This feature automatically populates the system with all detected regex patterns from the selected known system.
  • You can then customize these auto-generated patterns individually as needed.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

Instance Name

Purpose:
The Instance Name section allows you to define keywords or regular expressions that are used to extract the instance name from log entries.
This helps the system associate logs with specific instances (e.g., server, container, or application component), enabling accurate grouping, analysis, and correlation across multiple sources.

Adding Instance Name Entries

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Regex:

Define regular expressions that specify conditions for detecting data.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Sensitive Data Filter

Purpose:
The Sensitive Data Filter section allows you to define keywords or regular expressions that are used to identify and filter out sensitive data from log entries.
This helps ensure that confidential or personally identifiable information (PII) is not processed, stored, or displayed in analysis and alerts.

Adding Sensitive Data Filter Entries

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Regex:

Define regular expressions that specify conditions for detecting data.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Operator Notes

Purpose:
The Operator Notes section allows you to define keywords or regular expressions that are used to identify summary or annotation-type log entries.
These entries often contain human-written notes, operational summaries, or diagnostic comments that provide context for incidents or system behavior.

Adding Operator Notes Entries

1. Click the Add button to create a new keyword entry.
2. Each entry supports configuration of several parameters:

Type:
Choose between:

  • JSON string name – for structured log data (JSON format)
  • String content – for plain text log messages

3. Regex:

Define regular expressions that specify conditions for detecting data.

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.

 

Category Labels

Purpose:
The Category Labels section allows you to define keywords or regular expressions that are used to create category labels for log entries.
These labels help group logs into logical categories (e.g., authentication, database, network) for easier filtering, analysis, and visualization within InsightFinder UIE.

Adding Category Label Entries

1. Click the Add button to create a new category label entry.
2. For each entry, configure the following parameters:

Category:

  • Enter a descriptive category name that represents the type of logs this rule will identify.
  • For example: Authentication, Database, Network

Keyword(s):

  • Define one or more keywords or regular expressions that match the desired log entries.
  • Multiple keywords can be separated by commas (,).
  • Example: login, authentication failed, user logout

 

Note:

  • Don’t forget to click the Update button at the bottom of the page to save your changes.
